security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
remove_users_launch_daemon
atomic-red-team/atomics/Indexes/Matrices/windows-matrix.md
T
Atomic Red Team doc generator 30dd8f5ea7 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-23 15:45:26 +00:00

56 KiB
Raw Permalink Blame History

Windows Atomic Tests by ATT&CK Tactic & Technique

initial-access execution persistence privilege-escalation defense-evasion credential-access discovery lateral-movement collection exfiltration command-and-control impact
External Remote Services Scheduled Task/Job: Scheduled Task Scheduled Task/Job: Scheduled Task Process Injection: Extra Window Memory Injection Process Injection: Extra Window Memory Injection Adversary-in-the-Middle CONTRIBUTE A TEST System Owner/User Discovery Remote Services:VNC CONTRIBUTE A TEST Archive Collected Data: Archive via Utility Exfiltration Over Web Service CONTRIBUTE A TEST Socket Filters CONTRIBUTE A TEST Disk Structure Wipe CONTRIBUTE A TEST
Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST Windows Management Instrumentation Socket Filters CONTRIBUTE A TEST Scheduled Task/Job: Scheduled Task Socket Filters CONTRIBUTE A TEST Input Capture: Keylogging System Network Configuration Discovery: Internet Connection Discovery Taint Shared Content CONTRIBUTE A TEST Screen Capture Exfiltration Over Webhook CONTRIBUTE A TEST Data Encoding: Standard Encoding Direct Network Flood CONTRIBUTE A TEST
Phishing: Spearphishing Link Server Software Component Boot or Logon Initialization Scripts CONTRIBUTE A TEST Boot or Logon Initialization Scripts CONTRIBUTE A TEST Fileless Storage CONTRIBUTE A TEST Brute Force: Password Guessing Permission Groups Discovery CONTRIBUTE A TEST Replication Through Removable Media Adversary-in-the-Middle CONTRIBUTE A TEST Scheduled Transfer CONTRIBUTE A TEST Domain Generation Algorithms CONTRIBUTE A TEST External Defacement CONTRIBUTE A TEST
Phishing: Spearphishing Attachment Command and Scripting Interpreter: JavaScript Path Interception by PATH Environment Variable CONTRIBUTE A TEST Path Interception by PATH Environment Variable CONTRIBUTE A TEST Signed Binary Proxy Execution: Rundll32 OS Credential Dumping Group Policy Discovery Remote Services: SMB/Windows Admin Shares Input Capture: Keylogging Exfiltration Over Other Network Medium CONTRIBUTE A TEST Application Layer Protocol: DNS OS Exhaustion Flood CONTRIBUTE A TEST
Compromise Hardware Supply Chain CONTRIBUTE A TEST Inter-Process Communication: Dynamic Data Exchange Event Triggered Execution: PowerShell Profile Event Triggered Execution: PowerShell Profile Embedded Payloads CONTRIBUTE A TEST Steal Web Session Cookie Device Driver Discovery Use Alternate Authentication Material CONTRIBUTE A TEST Sharepoint CONTRIBUTE A TEST Exfiltration Over Bluetooth CONTRIBUTE A TEST Publish/Subscribe Protocols CONTRIBUTE A TEST Application Exhaustion Flood CONTRIBUTE A TEST
Replication Through Removable Media User Execution: Malicious File Create or Modify System Process CONTRIBUTE A TEST Create or Modify System Process CONTRIBUTE A TEST File/Path Exclusions CONTRIBUTE A TEST OS Credential Dumping: Security Account Manager Account Discovery: Domain Account Remote Services CONTRIBUTE A TEST Audio Capture Automated Exfiltration Symmetric Cryptography CONTRIBUTE A TEST Disk Wipe CONTRIBUTE A TEST
Supply Chain Compromise Component Object Model CONTRIBUTE A TEST External Remote Services Abuse Elevation Control Mechanism: Bypass User Account Control Signed Script Proxy Execution: Pubprn Brute Force: Password Cracking Account Discovery: Local Account Remote Service Session Hijacking CONTRIBUTE A TEST Archive via Custom Method CONTRIBUTE A TEST Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST Fast Flux DNS CONTRIBUTE A TEST Stored Data Manipulation CONTRIBUTE A TEST
Exploit Public-Facing Application CONTRIBUTE A TEST Scheduled Task/Job CONTRIBUTE A TEST Pre-OS Boot: System Firmware Hijack Execution Flow: Services Registry Permissions Weakness Path Interception by PATH Environment Variable CONTRIBUTE A TEST OS Credential Dumping: LSA Secrets Virtualization/Sandbox Evasion: System Checks Remote Services: Windows Remote Management Email Collection CONTRIBUTE A TEST Exfiltration to Code Repository CONTRIBUTE A TEST Application Layer Protocol Service Stop
Content Injection CONTRIBUTE A TEST Native API Hijack Execution Flow: Services Registry Permissions Weakness Boot or Logon Autostart Execution Direct Volume Access Forge Web Credentials: SAML token CONTRIBUTE A TEST Permission Groups Discovery: Domain Groups Remote Services: Distributed Component Object Model Data from Removable Media Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Remote Access Software Application or System Exploitation CONTRIBUTE A TEST
Valid Accounts: Default Accounts Command and Scripting Interpreter: AutoHotKey & AutoIT Bootkit CONTRIBUTE A TEST Active Setup Hide Artifacts: Email Hiding Rules CONTRIBUTE A TEST Password Managers CONTRIBUTE A TEST System Service Discovery Use Alternate Authentication Material: Pass the Ticket Data Staged: Local Data Staging Exfiltration Over C2 Channel Content Injection CONTRIBUTE A TEST Runtime Data Manipulation CONTRIBUTE A TEST
Trusted Relationship CONTRIBUTE A TEST Command and Scripting Interpreter Boot or Logon Autostart Execution Domain Trust Modification CONTRIBUTE A TEST Encrypted/Encoded File CONTRIBUTE A TEST Network Sniffing Network Sniffing Software Deployment Tools Email Collection: Local Email Collection Exfiltration Over Alternative Protocol Traffic Signaling CONTRIBUTE A TEST Reflection Amplification CONTRIBUTE A TEST
Phishing CONTRIBUTE A TEST User Execution CONTRIBUTE A TEST Active Setup Create or Modify System Process: Windows Service Rootkit CONTRIBUTE A TEST Unsecured Credentials: Credentials in Registry Network Share Discovery Exploitation of Remote Services CONTRIBUTE A TEST Automated Collection Exfiltration over USB CONTRIBUTE A TEST Protocol Tunneling Service Exhaustion Flood CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST Software Deployment Tools Create or Modify System Process: Windows Service Boot or Logon Autostart Execution: Print Processors Masquerading: Double File Extension Modify Authentication Process: Password Filter DLL Peripheral Device Discovery Internal Spearphishing CONTRIBUTE A TEST Clipboard Data Exfiltration Over Web Service: Exfiltration to Text Storage Sites Mail Protocols CONTRIBUTE A TEST Defacement CONTRIBUTE A TEST
Spearphishing Voice CONTRIBUTE A TEST Command and Scripting Interpreter: PowerShell Office Application Startup Hijack Execution Flow: DLL Search Order Hijacking Abuse Elevation Control Mechanism: Bypass User Account Control Steal or Forge Kerberos Tickets: AS-REP Roasting System Information Discovery Lateral Tool Transfer Remote Data Staging CONTRIBUTE A TEST Exfiltration Over Web Service: Exfiltration to Cloud Storage Communication Through Removable Media CONTRIBUTE A TEST Bandwidth Hijacking CONTRIBUTE A TEST
Compromise Software Supply Chain CONTRIBUTE A TEST Inter-Process Communication Boot or Logon Autostart Execution: Print Processors AppDomainManager CONTRIBUTE A TEST Pre-OS Boot: System Firmware Steal or Forge Kerberos Tickets CONTRIBUTE A TEST System Network Configuration Discovery: Wi-Fi Discovery Remote Service Session Hijacking: RDP Hijacking Data from Local System Data Transfer Size Limits External Proxy CONTRIBUTE A TEST Financial Theft CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST Lua CONTRIBUTE A TEST Hijack Execution Flow: DLL Search Order Hijacking Scheduled Task/Job CONTRIBUTE A TEST Hijack Execution Flow: Services Registry Permissions Weakness Credentials from Password Stores Application Window Discovery Use Alternate Authentication Material: Pass the Hash Archive Collected Data: Archive via Library CONTRIBUTE A TEST Exfiltration Over Physical Medium CONTRIBUTE A TEST Proxy CONTRIBUTE A TEST Defacement: Internal Defacement
Hardware Additions CONTRIBUTE A TEST Exploitation for Client Execution CONTRIBUTE A TEST Office Application Startup: Add-ins Additional Local or Domain Groups CONTRIBUTE A TEST Bootkit CONTRIBUTE A TEST Unsecured Credentials Email Account CONTRIBUTE A TEST Remote Services: Remote Desktop Protocol Archive Collected Data Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Dynamic Resolution CONTRIBUTE A TEST Compute Hijacking CONTRIBUTE A TEST
Drive-by Compromise CONTRIBUTE A TEST Command and Scripting Interpreter: Python CONTRIBUTE A TEST Server Software Component: Transport Agent Thread Execution Hijacking Mavinject CONTRIBUTE A TEST Hybrid Identity CONTRIBUTE A TEST Time Based Evasion CONTRIBUTE A TEST Browser Session Hijacking CONTRIBUTE A TEST Web Service CONTRIBUTE A TEST Data Manipulation CONTRIBUTE A TEST
Spearphishing via Service CONTRIBUTE A TEST System Services CONTRIBUTE A TEST AppDomainManager CONTRIBUTE A TEST Event Triggered Execution: Application Shimming Masquerading: Match Legitimate Name or Location Credentials from Password Stores: Credentials from Web Browsers Browser Bookmark Discovery DHCP Spoofing CONTRIBUTE A TEST DNS Calculation CONTRIBUTE A TEST Account Access Removal
Valid Accounts: Local Accounts Command and Scripting Interpreter: Windows Command Shell Scheduled Task/Job CONTRIBUTE A TEST Boot or Logon Autostart Execution: Port Monitors Masquerade File Type CONTRIBUTE A TEST DHCP Spoofing CONTRIBUTE A TEST System Network Configuration Discovery Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay Multi-Stage Channels CONTRIBUTE A TEST Data Encrypted for Impact
Command and Scripting Interpreter: Visual Basic Modify Authentication Process: Password Filter DLL Process Injection Hide Artifacts Unsecured Credentials: Private Keys Account Discovery CONTRIBUTE A TEST Web Portal Capture CONTRIBUTE A TEST Port Knocking CONTRIBUTE A TEST Endpoint Denial of Service CONTRIBUTE A TEST
Malicious Link CONTRIBUTE A TEST Server Software Component: Terminal Services DLL Escape to Host CONTRIBUTE A TEST Domain Trust Modification CONTRIBUTE A TEST Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay Domain Trust Discovery Video Capture File Transfer Protocols CONTRIBUTE A TEST Resource Hijacking CONTRIBUTE A TEST
System Services: Service Execution Browser Extensions Boot or Logon Autostart Execution: Shortcut Modification Impair Defenses: Safe Boot Mode OS Credential Dumping: LSASS Memory File and Directory Discovery Email Collection: Email Forwarding Rule CONTRIBUTE A TEST One-Way Communication CONTRIBUTE A TEST Transmitted Data Manipulation CONTRIBUTE A TEST
Scheduled Task/Job: At Outlook Rules CONTRIBUTE A TEST Boot or Logon Autostart Execution: Security Support Provider Virtualization/Sandbox Evasion: System Checks Brute Force: Password Spraying System Network Connections Discovery Data Staged CONTRIBUTE A TEST Proxy: Multi-hop Proxy Data Destruction
Additional Local or Domain Groups CONTRIBUTE A TEST Hijack Execution Flow: Path Interception by Search Order Hijacking Signed Binary Proxy Execution: InstallUtil Web Portal Capture CONTRIBUTE A TEST Virtualization/Sandbox Evasion CONTRIBUTE A TEST Input Capture: GUI Input Capture Data Obfuscation CONTRIBUTE A TEST Network Denial of Service CONTRIBUTE A TEST
Event Triggered Execution: Application Shimming Domain Policy Modification: Group Policy Modification Stripped Payloads CONTRIBUTE A TEST OS Credential Dumping: Cached Domain Credentials Log Enumeration Data from Network Shared Drive Non-Standard Port Firmware Corruption CONTRIBUTE A TEST
Boot or Logon Autostart Execution: Port Monitors Valid Accounts: Default Accounts Hijack Execution Flow: DLL Search Order Hijacking Steal or Forge Kerberos Tickets: Golden Ticket Process Discovery Email Collection: Remote Email Collection CONTRIBUTE A TEST Encrypted Channel Inhibit System Recovery
Traffic Signaling CONTRIBUTE A TEST Time Providers Code Signing CONTRIBUTE A TEST Steal or Forge Authentication Certificates User Activity Based Checks CONTRIBUTE A TEST Input Capture CONTRIBUTE A TEST Bidirectional Communication CONTRIBUTE A TEST Disk Content Wipe CONTRIBUTE A TEST
Boot or Logon Autostart Execution: Shortcut Modification Abuse Elevation Control Mechanism CONTRIBUTE A TEST File and Directory Permissions Modification: Windows File and Directory Permissions Modification Unsecured Credentials: Credentials In Files Permission Groups Discovery: Local Groups ARP Cache Poisoning CONTRIBUTE A TEST Asymmetric Cryptography CONTRIBUTE A TEST System Shutdown/Reboot
Boot or Logon Autostart Execution: Security Support Provider Create Process with Token AppDomainManager CONTRIBUTE A TEST Web Cookies CONTRIBUTE A TEST Password Policy Discovery Data from Information Repositories CONTRIBUTE A TEST Non-Application Layer Protocol
Hybrid Identity CONTRIBUTE A TEST Boot or Logon Autostart Execution: Winlogon Helper DLL Signed Binary Proxy Execution: Msiexec Unsecured Credentials: Group Policy Preferences System Location Discovery: System Language Discovery Input Capture: Credential API Hooking Protocol or Service Impersonation CONTRIBUTE A TEST
Hijack Execution Flow: Path Interception by Search Order Hijacking Event Triggered Execution: Image File Execution Options Injection Modify Authentication Process: Password Filter DLL Network Provider DLL CONTRIBUTE A TEST Query Registry Domain Fronting CONTRIBUTE A TEST
Server Software Component: Web Shell Process Doppelgänging CONTRIBUTE A TEST Clear Network Connection History and Configurations CONTRIBUTE A TEST Forge Web Credentials CONTRIBUTE A TEST System Location Discovery Data Encoding CONTRIBUTE A TEST
Valid Accounts: Default Accounts Executable Installer File Permissions Weakness CONTRIBUTE A TEST Indicator Removal on Host: Clear Command History Multi-Factor Authentication Request Generation CONTRIBUTE A TEST Software Discovery: Security Software Discovery Non-Standard Encoding CONTRIBUTE A TEST
Time Providers Event Triggered Execution: Accessibility Features Indirect Command Execution Exploitation for Credential Access CONTRIBUTE A TEST Remote System Discovery Application Layer Protocol: Web Protocols
Create Account: Local Account Process Injection: Asynchronous Procedure Call Deobfuscate/Decode Files or Information Input Capture: GUI Input Capture Network Service Discovery Ingress Tool Transfer
Boot or Logon Autostart Execution: Winlogon Helper DLL Event Triggered Execution: AppCert DLLs Impair Defenses Brute Force CONTRIBUTE A TEST Software Discovery Hide Infrastructure CONTRIBUTE A TEST
Event Triggered Execution: Image File Execution Options Injection Device Registration CONTRIBUTE A TEST Thread Execution Hijacking Brute Force: Credential Stuffing Debugger Evasion Data Obfuscation via Steganography
Executable Installer File Permissions Weakness CONTRIBUTE A TEST Process Injection: Portable Executable Injection Masquerading Multi-Factor Authentication CONTRIBUTE A TEST System Time Discovery Fallback Channels CONTRIBUTE A TEST
Event Triggered Execution: Accessibility Features Access Token Manipulation: Token Impersonation/Theft Email Collection: Mailbox Manipulation Forced Authentication Proxy: Internal Proxy
Create Account: Domain Account Make and Impersonate Token CONTRIBUTE A TEST Process Injection Input Capture CONTRIBUTE A TEST Dead Drop Resolver CONTRIBUTE A TEST
Component Firmware CONTRIBUTE A TEST Event Triggered Execution: Windows Management Instrumentation Event Subscription Traffic Signaling CONTRIBUTE A TEST ARP Cache Poisoning CONTRIBUTE A TEST Junk Data CONTRIBUTE A TEST
Office Application Startup: Office Template Macros. Access Token Manipulation: Parent PID Spoofing Signed Binary Proxy Execution Steal or Forge Kerberos Tickets: Silver Ticket
Event Triggered Execution: AppCert DLLs Event Triggered Execution: Change Default File Association Indicator Removal on Host: Timestomp Credentials from Password Stores: Windows Credential Manager
Device Registration CONTRIBUTE A TEST Services File Permissions Weakness CONTRIBUTE A TEST Reflective Code Loading Domain Controller Authentication CONTRIBUTE A TEST
Pre-OS Boot CONTRIBUTE A TEST Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Mutual Exclusion CONTRIBUTE A TEST Reversible Encryption CONTRIBUTE A TEST
Port Knocking CONTRIBUTE A TEST Account Manipulation Ignore Process Interrupts CONTRIBUTE A TEST Multi-Factor Authentication Interception CONTRIBUTE A TEST
Network Provider DLL CONTRIBUTE A TEST KernelCallbackTable CONTRIBUTE A TEST Time Based Evasion CONTRIBUTE A TEST OS Credential Dumping: NTDS
Event Triggered Execution: Windows Management Instrumentation Event Subscription Hijack Execution Flow CONTRIBUTE A TEST Signed Binary Proxy Execution: CMSTP Steal or Forge Kerberos Tickets: Kerberoasting
Compromise Host Software Binary CONTRIBUTE A TEST Valid Accounts CONTRIBUTE A TEST Impair Defenses: Disable Windows Event Logging OS Credential Dumping: DCSync
Event Triggered Execution: Change Default File Association Process Injection: Process Hollowing Signed Binary Proxy Execution: Control Panel Modify Authentication Process CONTRIBUTE A TEST
Services File Permissions Weakness CONTRIBUTE A TEST Exploitation for Privilege Escalation CONTRIBUTE A TEST Use Alternate Authentication Material CONTRIBUTE A TEST Input Capture: Credential API Hooking
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Event Triggered Execution Impair Defenses: Disable or Modify System Firewall
Account Manipulation Access Token Manipulation: SID-History Injection Subvert Trust Controls: SIP and Trust Provider Hijacking
KernelCallbackTable CONTRIBUTE A TEST Authentication Package Hybrid Identity CONTRIBUTE A TEST
Outlook Forms CONTRIBUTE A TEST Event Triggered Execution: Component Object Model Hijacking Electron Applications CONTRIBUTE A TEST
Hijack Execution Flow CONTRIBUTE A TEST Hijack Execution Flow: Path Interception by Unquoted Path Rogue Domain Controller
Valid Accounts CONTRIBUTE A TEST Domain Accounts CONTRIBUTE A TEST Subvert Trust Controls: Code Signing Policy Modification
Multi-Factor Authentication CONTRIBUTE A TEST Network Logon Script CONTRIBUTE A TEST Modify Registry
IIS Components Event Triggered Execution: AppInit DLLs Hijack Execution Flow: Path Interception by Search Order Hijacking
Event Triggered Execution Event Triggered Execution: Screensaver Obfuscated Files or Information: Binary Padding CONTRIBUTE A TEST
Authentication Package Installer Packages CONTRIBUTE A TEST Domain Policy Modification: Group Policy Modification
Event Triggered Execution: Component Object Model Hijacking Access Token Manipulation CONTRIBUTE A TEST Valid Accounts: Default Accounts
Office Application Startup: Outlook Home Page Thread Local Storage CONTRIBUTE A TEST Indicator Removal on Host: Clear Windows Event Logs
Hijack Execution Flow: Path Interception by Unquoted Path Hijack Execution Flow: DLL Side-Loading File and Directory Permissions Modification
Domain Accounts CONTRIBUTE A TEST Account Manipulation: Additional Email Delegate Permissions CONTRIBUTE A TEST Abuse Elevation Control Mechanism CONTRIBUTE A TEST
Network Logon Script CONTRIBUTE A TEST Boot or Logon Initialization Scripts: Logon Script (Windows) Create Process with Token
BITS Jobs Process Injection: ListPlanting Signed Binary Proxy Execution: Odbcconf
Event Triggered Execution: AppInit DLLs Domain or Tenant Policy Modification CONTRIBUTE A TEST Process Doppelgänging CONTRIBUTE A TEST
Event Triggered Execution: Screensaver Boot or Logon Autostart Execution: LSASS Driver Executable Installer File Permissions Weakness CONTRIBUTE A TEST
Server Software Component CONTRIBUTE A TEST Scheduled Task/Job: At Impair Defenses: Indicator Blocking
Domain Controller Authentication CONTRIBUTE A TEST Process Injection: Dynamic-link Library Injection Right-to-Left Override CONTRIBUTE A TEST
Reversible Encryption CONTRIBUTE A TEST Event Triggered Execution: Netsh Helper DLL Component Firmware CONTRIBUTE A TEST
Installer Packages CONTRIBUTE A TEST Valid Accounts: Local Accounts Indicator Removal on Host
Create Account CONTRIBUTE A TEST Hijack Execution Flow: COR_PROFILER Use Alternate Authentication Material: Pass the Ticket
Hijack Execution Flow: DLL Side-Loading Masquerading: Masquerade Task or Service
Account Manipulation: Additional Email Delegate Permissions CONTRIBUTE A TEST Process Injection: Asynchronous Procedure Call
Power Settings CONTRIBUTE A TEST Subvert Trust Controls: Mark-of-the-Web Bypass
Boot or Logon Initialization Scripts: Logon Script (Windows) Pre-OS Boot CONTRIBUTE A TEST
Office Application Startup: Office Test Process Injection: Portable Executable Injection
Boot or Logon Autostart Execution: LSASS Driver Verclsid CONTRIBUTE A TEST
Scheduled Task/Job: At Impair Defenses: Downgrade Attack
Modify Authentication Process CONTRIBUTE A TEST Virtualization/Sandbox Evasion CONTRIBUTE A TEST
Event Triggered Execution: Netsh Helper DLL Signed Binary Proxy Execution: Mshta
SQL Stored Procedures CONTRIBUTE A TEST Execution Guardrails CONTRIBUTE A TEST
Valid Accounts: Local Accounts Access Token Manipulation: Token Impersonation/Theft
Hijack Execution Flow: COR_PROFILER Port Knocking CONTRIBUTE A TEST
LNK Icon Smuggling CONTRIBUTE A TEST
Hide Artifacts: Hidden Users
Make and Impersonate Token CONTRIBUTE A TEST
Impair Defenses: Impair Command History Logging
Network Provider DLL CONTRIBUTE A TEST
User Activity Based Checks CONTRIBUTE A TEST
Access Token Manipulation: Parent PID Spoofing
Services File Permissions Weakness CONTRIBUTE A TEST
KernelCallbackTable CONTRIBUTE A TEST
Signed Binary Proxy Execution: Compiled HTML File
Indicator Removal on Host: Network Share Connection Removal
Impair Defenses: Disable or Modify Tools
Hijack Execution Flow CONTRIBUTE A TEST
Indicator Removal from Tools CONTRIBUTE A TEST
Valid Accounts CONTRIBUTE A TEST
Process Injection: Process Hollowing
Obfuscated Files or Information
Multi-Factor Authentication CONTRIBUTE A TEST
Invalid Code Signature CONTRIBUTE A TEST
Run Virtual Instance
Polymorphic Code CONTRIBUTE A TEST
Access Token Manipulation: SID-History Injection
Subvert Trust Controls CONTRIBUTE A TEST
Signed Binary Proxy Execution: Regsvr32
Masquerading: Rename System Utilities
Spoof Security Alerting CONTRIBUTE A TEST
Hijack Execution Flow: Path Interception by Unquoted Path
Steganography CONTRIBUTE A TEST
Domain Accounts CONTRIBUTE A TEST
Signed Binary Proxy Execution: Regsvcs/Regasm
Subvert Trust Controls: Install Root Certificate
Obfuscated Files or Information: Compile After Delivery
VBA Stomping CONTRIBUTE A TEST
BITS Jobs
Trusted Developer Utilities Proxy Execution: MSBuild
Impersonation CONTRIBUTE A TEST
Hide Artifacts: Hidden Window
ClickOnce CONTRIBUTE A TEST
Relocate Malware CONTRIBUTE A TEST
Clear Persistence CONTRIBUTE A TEST
Masquerade Account Name CONTRIBUTE A TEST
Domain Controller Authentication CONTRIBUTE A TEST
HTML Smuggling
Reversible Encryption CONTRIBUTE A TEST
Command Obfuscation CONTRIBUTE A TEST
Indicator Removal on Host: File Deletion
Template Injection
Access Token Manipulation CONTRIBUTE A TEST
Obfuscated Files or Information: Software Packing CONTRIBUTE A TEST
Hidden File System CONTRIBUTE A TEST
Thread Local Storage CONTRIBUTE A TEST
Debugger Evasion
Use Alternate Authentication Material: Pass the Hash
Hijack Execution Flow: DLL Side-Loading
SyncAppvPublishingServer CONTRIBUTE A TEST
Obfuscated Files or Information: Dynamic API Resolution
Process Injection: ListPlanting
Domain or Tenant Policy Modification CONTRIBUTE A TEST
XSL Script Processing
Hide Artifacts: Hidden Files and Directories
Environmental Keying CONTRIBUTE A TEST
Hide Artifacts: NTFS File Attributes
Process Injection: Dynamic-link Library Injection
Modify Authentication Process CONTRIBUTE A TEST
Signed Script Proxy Execution
Valid Accounts: Local Accounts
Exploitation for Defense Evasion CONTRIBUTE A TEST
Trusted Developer Utilities Proxy Execution
MMC CONTRIBUTE A TEST
Process Argument Spoofing CONTRIBUTE A TEST
Hijack Execution Flow: COR_PROFILER
Reference in New Issue View Git Blame Copy Permalink